>> Thunderbird "advertises" end-to-end-encryption only and confuses users 
>> that actually use/benefit from SMTP-DANE where it tells "unencrypted".

>IMHO correctly. Email that isn't end-to-end encrypted *is* actually 
>unencrypted in transit. TLS encrypts transmission only, but the message is 
>available in unencrypted form and can be intercepted on both sending and 
>receiving server (and possibly intermediate relaying servers, if any) by their 
>administrators.
>
>So it's correct to indicate such email as unencrypted.
>--
>Regards,
>   Jaroslaw Rafa
>   r...@rafa.eu.org
 
Hi Jaroslaw,

I disagree.

- without additional authenticated encryption like SMTP-DANE, your end-to-end 
encrypted messages are only protected w.r.t. confidentiality (except sender and 
recipient addresses); there is no protection w.r.t. integrity, which comes with 
modern TLS versions, and also active attackers can cause messages not only to 
be changed but also dropped - only prevented by authentication. In other words, 
you would have to go for both encryption approaches to ensure reliability from 
a user's perspective.

- there is no standardized key management (almost nobody uses the respective 
RFCs), and https://keys.openpgp.org/ imho has issues, preventing mass adoption. 
And if there were mass adoption, we would see end-to-end encrypted spam that is 
not caught by spam filters. 

- on the usability aspects there are publications "Johnny (still) can't 
encrypt". I regularly see key exchanges via email being suggested, which I 
consider bad practice (or unnecessary with SMTP-DANE).

- if you do not trust your administrators, pick a different service, at 
least on your side. Even if admins cannot read your encrypted messages, they 
can change or delete them. Moreover, most organizations either use a gateway or 
centrally manage private keys. Actually they have to in order to fulfill 
business needs and GDPR.

I know there are some data protection authorities and enthusiasts out there 
promoting usage of end-to-end encryption, but I think that is a dead end.

Regards,
Joachim
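
The authenticated-transport point made in the reply above (a DNSSEC-signed TLSA record lets the sending MTA verify the receiving server's certificate, and a mismatch leads to deferral rather than delivery) is shown here as an added example; it is not code from this thread or from Postfix. The "certificate" and "SubjectPublicKeyInfo" byte strings are constructed placeholders, not real DER, and the TLSA record set is constructed as well; only DANE-EE(3) matching is implemented, DANE-TA(2) chain building is left out.

```python
import hashlib

# RFC 6698 TLSA record fields:
#   usage         3 = DANE-EE (RFC 7672 makes 0/PKIX-TA and 1/PKIX-EE unusable for SMTP)
#   selector      0 = full certificate, 1 = SubjectPublicKeyInfo
#   matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512
HASHES = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_assoc_data(selector_data: bytes, matching_type: int) -> bytes:
    """Certificate association data for one TLSA record (hashed or exact)."""
    h = HASHES[matching_type]
    return selector_data if h is None else h(selector_data).digest()


def tlsa_record(usage: int, selector: int, matching_type: int, selector_data: bytes):
    """Build a TLSA record tuple from the data the receiving MTA would publish."""
    return (usage, selector, matching_type, tlsa_assoc_data(selector_data, matching_type))


def format_tlsa(mx_host: str, rec) -> str:
    """Zone-file presentation of a record for port 25 on mx_host."""
    usage, sel, mt, data = rec
    return f"_25._tcp.{mx_host}. IN TLSA {usage} {sel} {mt} {data.hex()}"


def dane_ee_matches(presented: dict, records) -> bool:
    """presented = {'cert': DER bytes, 'spki': DER bytes} as seen in the TLS handshake."""
    for usage, sel, mt, data in records:
        if usage != 3:
            continue  # usage 2 needs chain building (omitted); 0/1 are unusable for SMTP
        selector_data = presented["cert"] if sel == 0 else presented["spki"]
        if tlsa_assoc_data(selector_data, mt) == data:
            return True
    return False


def delivery_decision(tlsa_records, presented: dict) -> str:
    """Mirror the Postfix 'dane' security level outcome (assumes a DNSSEC-validated lookup):
    no usable TLSA records -> opportunistic TLS, match -> authenticated delivery,
    usable records but no match -> defer, never fall back to an unauthenticated session."""
    usable = [r for r in tlsa_records if r[0] == 3]
    if not usable:
        return "opportunistic"
    return "deliver-authenticated" if dane_ee_matches(presented, usable) else "defer"


# Constructed stand-ins for DER-encoded data (labels, not real certificates/keys).
GENUINE_SPKI = b"constructed-spki-of-mail.example.com"
ATTACKER_SPKI = b"constructed-spki-of-an-interposed-server"
RECORDS = [tlsa_record(3, 1, 1, GENUINE_SPKI)]

if __name__ == "__main__":
    print(format_tlsa("mail.example.com", RECORDS[0]))
    print(delivery_decision(RECORDS, {"cert": b"", "spki": GENUINE_SPKI}))
    print(delivery_decision(RECORDS, {"cert": b"", "spki": ATTACKER_SPKI}))
    print(delivery_decision([], {"cert": b"", "spki": ATTACKER_SPKI}))
```

The check is only meaningful when the TLSA lookup itself is DNSSEC-validated, which in Postfix corresponds to running the outbound side with `smtp_tls_security_level = dane` together with `smtp_dns_support_level = dnssec` and a validating resolver; the "defer" branch is what stops an active attacker from turning a mismatch into either cleartext delivery or a silently substituted server.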

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
